On Wed, Nov 02, 2005 at 16:01:19 -0500, "Mark R. Dingee" <mark.dingee@cox.net> wrote:
> Thanks Bruno. I'm using a hash so I can merge info available in the HTTPS
> header with data I store on the server so that the hash can be reconstructed
> during the validation process from the raw elements. Tom Lane reminded me of
> using random seeds similar to what you are suggesting. I think I will try to
> incorporate that into the process. Perhaps a segment from the initial
> SSL_SESSION_ID may work without generating too much overhead.
Why do you need any more than the session id and the random number? Once you
switch to including some random data, it seems like it would be simpler to
just use random data.
>
> You're right, sniffing isn't a real concern for me in this application. My
> biggest concern is internal users playing around trying to find a backdoor
> into sensitive data.
If they have privileged accounts on the web server you may need to worry about
this.
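To make the two approaches in this exchange concrete, here is an added example (not code from either poster) contrasting a token derived from raw elements, which anyone holding those elements can reconstruct, with a token that is purely random data and is validated only by looking it up in a server-side store. The in-memory store, the one-hour lifetime and the hypothetical user ids are assumptions for the example; a real application would keep the store in its database.

```python
import hashlib
import secrets
import time

# Constructed in-memory session store: sha256(token) -> session record.
# Stand-in for the server-side table a real application would use.
SESSION_STORE = {}
SESSION_TTL_SECONDS = 3600  # assumed lifetime for the example


def derived_token(ssl_session_id, server_side_data):
    """The 'reconstructible hash' approach from the thread.

    The token is a deterministic function of its inputs, so it can be
    rebuilt from the raw elements at validation time, but by the same
    token anyone who learns those elements can rebuild it too.
    """
    material = f"{ssl_session_id}|{server_side_data}".encode()
    return hashlib.sha256(material).hexdigest()


def _store_key(token):
    # Keep only a digest of the token in the store, so reading the store
    # alone does not yield usable session tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(user_id, now=None):
    """The 'just use random data' approach.

    Nothing about the user or the connection is encoded in the token; it is
    256 bits from the OS CSPRNG, and the only way to hold a valid one is to
    have been issued it.  The server remembers what it issued.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSION_STORE[_store_key(token)] = {"user_id": user_id, "issued": now}
    return token


def validate_session(token, now=None):
    """Return the user id bound to a token, or None if unknown or expired."""
    now = time.time() if now is None else now
    key = _store_key(token)
    record = SESSION_STORE.get(key)
    if record is None:
        return None
    if now - record["issued"] > SESSION_TTL_SECONDS:
        # Expired: drop it so it cannot be presented again.
        del SESSION_STORE[key]
        return None
    return record["user_id"]


def revoke_session(token):
    """Invalidate a token immediately (logout, suspected misuse)."""
    return SESSION_STORE.pop(_store_key(token), None) is not None


if __name__ == "__main__":
    t = create_session("alice")
    print("issued:", t)
    print("validates as:", validate_session(t))
    print("revoked:", revoke_session(t))
    print("after revoke:", validate_session(t))
```

The design choice the example illustrates is that a random token carries no information to reconstruct; validation is a lookup, and expiry or revocation is just deleting the record, which a derived hash cannot offer without extra server-side state anyway.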